
Re: [WEB SECURITY] ACL for application



It wasn't about the code but about the format. Do you need to provide
a super admin all the rights that the lower level users have to
prepare for a disaster/mishap? Since there are user roles and
associated responsibilities, everyone's work set becomes limited and
hence a lesser chance of elevation of privilege.
I may be wrong though.

On 1/9/07, Brian Eaton <eaton.lists@xxxxxxxxx> wrote:
> On 1/8/07, Ankur Jindal <divinepresence@xxxxxxxxx> wrote:
> > How are application level ACL's usually implemented?
>
> I'm not sure I understand your question.  Are you asking what the code
> looks like?  That usually depends on what kind of tools are built in
> to your deployment platform.  For example, for J2EE apps role-based
> security is normal.
>
> > Another thought was that we write down clearly what everyone can do
> > and leave nothing to assumptions/beliefs.
>
> This is a good idea, if not for implementation, at least for planning.
> If you can't document it for other human beings, you probably can't
> implement the policy in a computer.
>
> Regards,
> Brian
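The two points raised in this exchange (a written-down policy that leaves nothing to assumption, and a super admin who does not automatically inherit every lower-level right) can be shown in a small deny-by-default, role-based ACL. The following is an added example and is not code from either poster or from any J2EE framework; Python is used only for brevity, and the role names, resources and actions (`viewer`, `editor`, `auditor`, `superadmin`, `report`, `audit_log`, `user`, `role`) are constructed for illustration.

```python
"""Declarative, deny-by-default application-level ACL (added example).

The whole policy lives in one table that a human can review; a role has
exactly the permissions listed for it and nothing is inherited implicitly.
All role/resource/action names below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Set, Tuple

Permission = Tuple[str, str]  # (resource, action)

# The written-down policy. Note that "superadmin" is deliberately NOT a
# superset of the other roles: it can manage users and roles, but cannot
# write reports, so a compromised admin account gains no report-editing right.
POLICY: Dict[str, FrozenSet[Permission]] = {
    "viewer":     frozenset({("report", "read")}),
    "editor":     frozenset({("report", "read"), ("report", "write")}),
    "auditor":    frozenset({("report", "read"), ("audit_log", "read")}),
    "superadmin": frozenset({("user", "create"), ("user", "delete"),
                             ("role", "assign"), ("audit_log", "read")}),
}


@dataclass(frozen=True)
class Principal:
    name: str
    roles: FrozenSet[str]


class UnknownRoleError(ValueError):
    """Raised when a principal carries a role the policy never defined."""


def is_allowed(p: Principal, resource: str, action: str,
               policy: Dict[str, FrozenSet[Permission]] = POLICY) -> bool:
    """Deny by default: True only if some role of the principal explicitly
    grants (resource, action). An undefined role is an error rather than a
    silent deny, so a misconfigured account is noticed instead of ignored."""
    for role in p.roles:
        if role not in policy:
            raise UnknownRoleError(f"role {role!r} is not defined in the policy")
        if (resource, action) in policy[role]:
            return True
    return False


def roles_with_permission(resource: str, action: str,
                          policy: Dict[str, FrozenSet[Permission]] = POLICY) -> Set[str]:
    """Answer the review question 'who can do X?' directly from the table."""
    return {role for role, grants in policy.items() if (resource, action) in grants}


def policy_matrix(policy: Dict[str, FrozenSet[Permission]] = POLICY) -> str:
    """Render the policy as a role/permission matrix for human review,
    which is the 'document it for other human beings' step."""
    perms = sorted({perm for grants in policy.values() for perm in grants})
    roles = sorted(policy)
    col = 12
    lines = ["resource/action".ljust(18) + "".join(r.ljust(col) for r in roles)]
    for res, act in perms:
        cells = "".join(("x" if (res, act) in policy[r] else "-").ljust(col) for r in roles)
        lines.append(f"{res}/{act}".ljust(18) + cells)
    return "\n".join(lines)


if __name__ == "__main__":
    print(policy_matrix())
    alice = Principal("alice", frozenset({"superadmin"}))
    bob = Principal("bob", frozenset({"editor"}))
    print("alice writes report:", is_allowed(alice, "report", "write"))  # False
    print("bob writes report:  ", is_allowed(bob, "report", "write"))    # True
```

The check is a pure lookup against the table, so the printed matrix and the code enforce the same policy; any grant missing from the table is denied, and the `superadmin` row makes visible that its rights were chosen rather than assumed.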


----------------------------------------------------------------------------
The Web Security Mailing List: http://www.webappsec.org/lists/websecurity/


The Web Security Mailing List Archives: http://www.webappsec.org/lists/websecurity/archive/